
Millions of hacked LinkedIn IDs advertised 'for sale'

Posted on May 20, 2016

A hacker is advertising what he says is more than one hundred million LinkedIn logins for sale.

The IDs were reportedly sourced from a breach four years ago, which had previously been thought to have included a fraction of that number.

At the time, the business-focused social network said it had reset the accounts of those it thought had been compromised.

LinkedIn now plans to repeat the measure on a much larger scale.

One expert said the service should have reset all its accounts the first time round.

LinkedIn is often used to send work-related messages and to find career opportunities - activities its members would want to stay private.

Criminals could make use of this information or see if its subscribers had used the same passwords elsewhere.

"We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords," a spokeswoman for the California-based firm told the BBC.

"We have no indication that this is a result of a new security breach.

"We encourage our members to visit our safety centre to ensure they have two-step verification authentication and to use strong passwords in order to keep their accounts as safe as possible."

"They've looked at the passwords in the dump and confirmed they're legitimate."

Another expert noted that the problem stemmed from the fact that LinkedIn had originally "hashed" its passwords but not "salted" them before storing them.

Hashing involves using an algorithm to convert passwords into a long string of digits. Salting is an additional step meant to stop unauthorised parties from being able to work around the process.

"A salt involves adding a few random characters, which are different on a per-user basis, to the passwords [before they are hashed]," explained Rik Ferguson, chief technology officer at the cybersecurity firm Trend Micro.

By doing this, he added, you prevent hackers from being able to refer to so-called "rainbow tables" that list commonly used passwords and the various hashes they produce, and then see if any of the hashes match those in the stolen database.
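The contrast Mr Ferguson draws, between an unsalted hash that a precomputed table defeats in one lookup and a per-user salted hash that it cannot touch, is easier to see in code. The following is an added example written for this page; it is not LinkedIn's code and does not come from the article. It assumes SHA-1 as the unsalted algorithm (the article names no algorithm), stands in a constructed five-entry password list for a real rainbow table, and goes one step beyond the article with a PBKDF2 variant, because salting stops precomputation but does nothing to slow down guessing against a single user's hash.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "rainbow table" of commonly used
# passwords the article describes (sample data, not from the page).
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Hash a password with no salt. SHA-1 is an assumption for this
    example; the article only says the passwords were hashed, not salted."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. This is the essence of a rainbow
    table: with no salt, one table serves against every user, and against
    every site that used the same unsalted algorithm."""
    return {unsalted_hash(p): p for p in wordlist}


def recover_unsalted(stored, table):
    """One dictionary lookup per stored hash. Identical hashes also reveal
    which users share a password before any lookup happens at all."""
    return {user: table.get(digest) for user, digest in stored.items()}


def salted_hash(password: str, salt: bytes) -> str:
    """Hash with a per-user random salt prepended. The salt is stored in
    the clear next to the hash; its job is uniqueness, not secrecy."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def store_salted(password: str):
    """Create a new credential record as (salt, hash)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Re-hash the candidate with the stored salt; compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored_digest)


def recover_salted(stored, table):
    """The same precomputed table run against salted records: every lookup
    misses, because none of the table's entries include the salt."""
    return {user: table.get(digest) for user, (_salt, digest) in stored.items()}


def slow_salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Beyond the article: a salted AND deliberately slow hash (PBKDF2-HMAC-SHA256),
    so that even per-user guessing costs the attacker real compute per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def demo():
    """Run both storage schemes over the same constructed users and report
    what the precomputed table recovers from each."""
    users = {"alice": "password", "bob": "password", "carol": "Wt7#kq9!pL"}
    table = build_lookup_table(COMMON_PASSWORDS)

    unsalted_db = {u: unsalted_hash(p) for u, p in users.items()}
    salted_db = {u: store_salted(p) for u, p in users.items()}

    return {
        "unsalted_recovered": recover_unsalted(unsalted_db, table),
        "unsalted_alice_eq_bob": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_recovered": recover_salted(salted_db, table),
        "salted_alice_eq_bob": salted_db["alice"][1] == salted_db["bob"][1],
        "salted_login_ok": verify_salted("password", *salted_db["alice"]),
        "salted_login_bad": verify_salted("passw0rd", *salted_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two weak passwords recovered outright from the unsalted table (and alice and bob visibly sharing one), while the salted records yield nothing to the same table and no longer look alike. The PBKDF2 function is the shape of what a store should use today: a random per-user salt plus a work factor, with the salt and iteration count kept alongside the hash so verification can repeat them.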

LinkedIn introduced salting after the attack, but that only benefits the login databases it generated afterwards.

"Using salting is absolutely best practice for storing passwords under any circumstances and was the case back in 2012 as well," Mr Ferguson said.

"If LinkedIn is saying now that it didn't know which accounts had been affected by the breach, then the sensible thing to have done at the time would have been a system-wide forced reset of every password."